A must-know series for architects: Container security and container vulnerability management

Author: Zen and the Art of Computer Programming

1. Introduction

Container security is a hot topic in the field of cloud computing and one of the important reasons for the popularity of container technology. This series of articles will elaborate on container security-related technologies and key technology systems, and focus on the implementation methods and countermeasures of container security in cloud native applications. It mainly includes the following aspects:

1. What is container security?
2. Overview of container security technology.
3. Container vulnerability management system.
4. Container security in cloud native applications.
5. Container security monitoring tools.
6. Open source components related to container security.
7. Suggestions on cloud native security management practices.

Article structure: This article is divided into three parts. The first part introduces the background of the article, the second part briefly introduces the relevant concepts and basic knowledge of container security, and the third part starts from the container security technology in cloud native applications.

2. Explanation of basic concepts and terms

2.1 Conceptual terminology

2.1.1 Docker

Docker is an open source application container engine that can easily package, run and publish any number of application containers. Docker packages the application with the program's dependencies, library files and configuration files. Through image files, users can run different versions or different programs in the same environment without worrying about running environment problems.

2.1.2 Cgroups

Cgroups (control groups) is a mechanism provided by the Linux kernel that allows administrators to limit, record, and isolate the resources (such as memory and CPU) used by tasks (processes). By configuring Cgroups, you can limit and record how much of each system resource a specific group of processes uses. Cgroups provide fine-grained resource control and can be used to deploy complex multi-tenant clusters, service-level resource allocation, and priority scheduling.

2.1.3 Pod

Pod is the smallest unit used to encapsulate multiple business containers on K8s. It contains one or more containers, storage resources, network resources, and some attributes and labels. Pods are designed to automate the deployment, scaling, and management of containerized applications. Each Pod contains one or more containers, sharing storage resources and network resources. When the container needs to be expanded, the CPU and memory usage of the Pod can be adjusted through the declared resource limits; if the container cannot be started due to insufficient resources or CrashLoopBackOff, K8s will reschedule other containers on the Pod.

2.1.4 Kubernetes

Kubernetes (K8s) is an open source container cluster management system based on the cloud platform proposed by Google in 2014. It provides simple and easy-to-use automated deployment, elastic scaling and self-healing mechanisms, can manage clusters of more than 10,000 nodes, and provides rich APIs to support other container cluster management frameworks. It supports single-responsibility workloads, as well as diverse workloads across hosts, such as batch jobs and distributed data analysis.

2.1.5 Open Policy Agent(OPA)

Open Policy Agent (OPA) is a project under the CNCF Foundation. It is a high-performance policy engine designed to allow developers and organizations to easily formulate complex access control and decision-making logic. Its functions revolve around four main aspects: rule definition, query language, data model and data abstraction. OPA can be integrated into a variety of tools and processes, including CI/CD systems, webhooks, API gateways, microservices architectures, and Infrastructure as Code (IaC) tools, and is already a member of the Cloud Native Computing Foundation (CNCF).

2.1.6 SELinux

SELinux (Security-Enhanced Linux) is a security system for strengthening the Linux operating system. It was developed by the National Security Agency (NSA) in Linux distributions to enhance the security of the system. Currently, SELinux has been widely used in many Linux distributions, including Red Hat, CentOS, Ubuntu, etc. After SELinux is deployed, the system will implement stricter permission control and limit the scope of user operations to ensure system security.

2.2 Core technical principles

2.2.1 Linux Namespace Technology

The Linux Namespace mechanism, also known as namespaces, is a feature of the Linux operating system. It provides an independent, hierarchical file system and network stack, allowing one system to host multiple containers (namespaces) that are isolated from one another. Namespaces mainly solve the problem of resource isolation between processes: by dividing the resources belonging to processes into different namespaces, they prevent processes from interfering with each other and so achieve process isolation. Linux Namespace provides five namespaces:

  • UTS (UNIX Timesharing System) namespace: hostname and domainname are independent and will not affect each other.
  • MNT (Mount) namespace: an independent file system tree without affecting each other.
  • PID (Process Isolation) namespace: separate process list and will not affect each other.
  • USER (User Isolation) namespace: separates users and user groups without affecting each other.
  • NET (Network Isolation) namespace: separate network devices, network stacks, ports, etc. without affecting each other.
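
To check which of the namespaces listed above a process actually has to itself, compare its `/proc/<pid>/ns/` links with those of the host's PID 1. The following is an added example, not code from the original article; the function names are hypothetical and the inode values are constructed sample data.

```python
import os
import re

# The five namespace types listed above, as named under /proc/<pid>/ns/.
NS_TYPES = ("uts", "mnt", "pid", "user", "net")
NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_links(links):
    """Map namespace type -> inode from link targets such as 'net:[4026531840]'."""
    result = {}
    for name, target in links.items():
        m = NS_LINK.match(target)
        if m is None or m.group(1) != name:
            raise ValueError(f"unexpected namespace link {name!r} -> {target!r}")
        result[name] = int(m.group(2))
    return result


def read_ns_links(pid):
    """Read the live links for a process (Linux only; needs access to /proc/<pid>/ns)."""
    base = f"/proc/{pid}/ns"
    return {t: os.readlink(os.path.join(base, t)) for t in NS_TYPES}


def shared_namespaces(host_links, proc_links):
    """Return the namespace types in which the process is NOT isolated from the host."""
    host = parse_ns_links(host_links)
    proc = parse_ns_links(proc_links)
    missing = [t for t in NS_TYPES if t not in host or t not in proc]
    if missing:
        raise ValueError(f"missing namespace entries: {missing}")
    # Two processes are in the same namespace when the inode numbers match.
    return [t for t in NS_TYPES if host[t] == proc[t]]


# Constructed sample data: PID 1 on the host, and a container process that
# shares the host network namespace and has no user namespace of its own.
HOST_NS = {"uts": "uts:[4026531838]", "mnt": "mnt:[4026531841]",
           "pid": "pid:[4026531836]", "user": "user:[4026531837]",
           "net": "net:[4026531840]"}
CONTAINER_NS = {"uts": "uts:[4026532511]", "mnt": "mnt:[4026532509]",
                "pid": "pid:[4026532512]", "user": "user:[4026531837]",
                "net": "net:[4026531840]"}

if __name__ == "__main__":
    print("shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
```

On a live Linux host, pass `read_ns_links(1)` and `read_ns_links(<container pid>)` instead of the sample dictionaries; a non-empty result names the isolation boundaries the container does not have.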

2.2.2 AppArmor mechanism

AppArmor (Application Armor) is a Linux kernel module that can be used to control the behavior of applications on the host system and prevent malicious programs from attacking and damaging the system. AppArmor rules are defined in configuration files and loaded into the kernel. When a process starts, the corresponding restrictions are applied based on those configuration items. AppArmor has several access control modes:

  • Execution permission control: Only specified programs can be executed.
  • File access control: Only specified files can be read or written.
  • Memory access control: Only the memory area at the specified address can be accessed.
  • Network access control: Only the specified IP or domain name is allowed to access the specified port.
  • Capability control: Only specific Linux capabilities are allowed.

AppArmor is an open source project and the source code has been hosted by FSF. AppArmor can be integrated into the Linux kernel as a security module, so no additional installation is required and it can be enabled directly at system startup. AppArmor can protect containers, virtual machines and even ordinary processes, but there is also a certain performance loss.

2.2.3 Container Runtime

Container runtime refers to the software that actually implements container technology. Container runtimes usually include Docker, containerd, CRI-O, rkt, Kubernetes, etc., which respectively correspond to different container technologies. The Docker project launched the Docker engine, whose role is to manage containers.

For traditional virtual machine technology, the emergence of container technology is mainly to simplify deployment, reduce resource consumption and improve efficiency. Traditional virtual machine technology requires the creation of a complete operating system before it can run applications. However, container technology does not need to simulate the entire operating system, but only needs to isolate application processes to maximize resource utilization. Another important feature of container technology is "build once, run anywhere", which means that developers can create container images and run the same container whether on a laptop or a server.

2.2.4 Container security technology

2.2.4.1 Host-based defense

Traditional defense methods use hardware (such as hard drives, audit logs, etc.) and network isolation measures to prevent unauthorized access. However, this defense method is often relatively static and difficult to deal with dynamically changing threats. In addition, cloud computing service vendors are also constantly improving security prevention levels, such as AWS's Trusted Advisor service and Azure's Defender service.

Host-based defense modifies the operating system kernel and adds new security policies to resist attacks on container technology. The most famous example, proposed by Google's Brian Gough, is that Docker provides a more secure solution through host-based isolation. Before the emergence of container technology, virtual machine technology already had the flaw of hardware isolation: if the host is compromised by an external attacker, the virtual machines on it are also vulnerable.

2.2.4.2 Whitelist defense

Whitelist defense is based on the whitelist (Allow List) mechanism, which sets a series of legal and tested container images. Only these images are allowed to run, and all other images are prohibited from running. This helps reduce the attack surface that the running environment may be subject to and ensures the stability of the container runtime.

The flaw of whitelist defense is that every time a whitelist rule is added, it takes a certain amount of time to verify whether the rule is valid. In addition, the whitelist mechanism is often used in conjunction with privileged mode, so it may cause excessive security risks.
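
The allow list check described in this section can be sketched as an admission function. This is an added example, not code from the original article: the function names, the registry `registry.example.internal` and the digests are constructed, and requiring a digest rather than a tag is an assumption of this sketch (a tag can later be pointed at different content).

```python
import re

DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def normalize(image):
    """Split an image reference into (registry/repository, tag, digest)."""
    name, _, digest = image.partition("@")
    if digest and not DIGEST.match(digest):
        raise ValueError(f"malformed digest in {image!r}")
    # A ':' after the last '/' separates the tag; earlier it is a registry port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:  # Docker Hub defaults for short names such as "nginx"
        registry, repo = "docker.io", name if "/" in name else "library/" + name
    return f"{registry}/{repo}", tag, digest or None


def admit(image, allow_list):
    """Return (allowed, reason); only listed, digest-pinned images pass."""
    try:
        repo, _tag, digest = normalize(image)
    except ValueError as exc:
        return False, str(exc)
    approved = allow_list.get(repo)
    if approved is None:
        return False, f"{repo} is not on the allow list"
    if digest is None:  # a tag can be re-pointed at different content later
        return False, f"{repo} must be pinned by digest, not a tag"
    if digest not in approved:
        return False, f"digest is not an approved build of {repo}"
    return True, "approved"


# Constructed allow list and digests; registry.example.internal is a placeholder.
GOOD = "sha256:" + "a" * 64
OTHER = "sha256:" + "b" * 64
ALLOW_LIST = {
    "registry.example.internal:5000/payments/api": {GOOD},
    "docker.io/library/nginx": {GOOD},
}

if __name__ == "__main__":
    for ref in ("nginx@" + GOOD, "nginx:1.25", "nginx@" + OTHER, "someuser/nginx@" + GOOD):
        print(ref[:40], "->", admit(ref, ALLOW_LIST))
```

Normalizing the reference first matters: `nginx`, `library/nginx` and `docker.io/library/nginx` name the same repository, while `someuser/nginx` does not and is rejected.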

2.2.4.3 Defense in Depth

Defense in Depth is a security strategy that is iterated and gradually upgraded. Defense-in-depth strategies are often implemented through a combination of multiple security technologies, including container engines, container orchestration tools, operating systems, hosts, applications, and networks. Improvements at every step are always backwards and forwards compatible and difficult to detect. Defense in depth can respond to complex attacks, detect and respond to attacks faster, and provide attackers with high-availability services.

2.2.4.4 Use encrypted transmission

Encrypted transmission ensures the confidentiality, integrity and non-tamperability of data: the data is encrypted and transmitted through secure protocols (such as HTTPS, TLS, SSH, etc.). Encrypted transmissions resist eavesdropping and man-in-the-middle attempts to obtain data. Additionally, container networking uses encrypted transport protocols by default, so any unencrypted data cannot be seen.

2.2.4.5 Do not run unknown binaries

Running unknown binary programs often brings risks, so the container platform must verify the signature of the binary program, and only authorized programs can run. Signature verification can also prevent malicious code from attacking the container platform.

2.2.4.6 Application layer reinforcement

Application layer hardening (Application Defenses) protects the application itself during the runtime stage, mainly through script filtering, bytecode obfuscation, sandbox isolation and other methods. It also protects sensitive data by hijacking input and output streams. Application layer hardening can reduce attacks by malicious programs on the container platform and improve the overall security of the container platform.

2.2.4.7 Network layer defense

Communication within the container platform needs to pass through the network, and network layer security (Network Security) defense is particularly important. Network layer security defense includes IPSec, VPN, Firewall and other technologies. IPSec is a data encryption technology based on the IP protocol that can encrypt traffic between containers. VPN establishes a dedicated channel to implement encrypted communication between containers. Firewall blocks unauthorized inbound and outbound traffic.

In addition to network layer defense, container platforms also need to consider host-level defense, such as host isolation, host tracking, and host persistence. Host isolation can help prevent malicious programs from attacking hosts, and host tracing can identify abnormal system behavior. Host persistence enables recovery of malicious files and provides reliable system backup.

2.2.4.8 Data Center Isolation

Data Center Isolation is an important issue in the field of cloud computing. In order to reduce costs and improve security, cloud vendors will deploy multiple data centers among multiple physical data centers, thus forming a heterogeneous network environment. In order to ensure the security of cloud computing services, cloud vendors will isolate data centers.

There are many methods for data center isolation, including Layer 2 network isolation, Layer 3 network isolation, network virtualization, border router isolation, and server isolation. Layer 2 network isolation is the most commonly used isolation method. The data center network is divided into multiple subnets through VLAN technology, and then the container platform is deployed to different subnets. Layer 3 network isolation can isolate different types of traffic separately, improving the effect of network isolation. Network virtualization technology can use software or hardware to achieve network isolation, and border router isolation can deploy container platforms to border routers. Finally, server isolation is a hardware isolation technology that isolates servers and container platforms by placing servers on different physical machines.

In general, the implementation of container security can be considered from two dimensions, one is host-based defense, and the other is application layer defense. Host-based defense can be implemented from the operating system kernel, as well as container engines, and even cloud service providers. Application layer defense can protect applications at runtime or even during deployment.

Origin blog.csdn.net/universsky2015/article/details/133385297